Privacy Policy
Last updated: April 15, 2026 · Effective: April 15, 2026
This Privacy Policy describes how Timeo Sdn. Bhd. ("Timeo", "we", "our", or "us") collects, uses, stores, discloses, and protects your personal data when you use the Timeo web application at timeo.my, the Timeo customer mobile app, the Timeo Staff mobile app, and any related services (collectively, the "Services").
We comply with the Malaysian Personal Data Protection Act 2010 ("PDPA") and follow the disclosure requirements of the Apple App Store and Google Play.
1. Data we collect
1.1 Data you provide
- Account data — name, email address, phone number, password hash, profile photo (optional), and your role (customer, staff, owner).
- Booking data — services selected, staff preferences, dates/times, notes, cancellation reasons.
- Business data (owners/staff) — business name, address, operating hours, tax registration, services, pricing, and staff rosters.
- Payment data — card or bank details are entered directly into our payment processors (Stripe, Billplz, iPay88); Timeo never sees or stores your full card number. We retain only a non-sensitive token, the last four digits, card brand, and the transaction reference.
- Communications — messages you send to support, review comments, feedback.
1.2 Data collected automatically
- Device & technical data — IP address, device model, operating system, app version, crash logs, and approximate timezone.
- Push notification tokens — Expo push tokens (which wrap APNs and FCM tokens) so we can send booking reminders and shift alerts.
- Usage data — in-app actions (screens viewed, bookings made) for product analytics and abuse prevention.
- Location (Staff app only, optional) — when you clock in, we capture a single location sample so your manager can verify on-site presence. We do not track location in the background.
2. How we use your data
- Provide and operate the Services (accounts, bookings, payments, messaging).
- Send transactional notifications (booking confirmations, reminders, receipts).
- Prevent fraud, abuse, and unauthorised access.
- Improve the product through aggregate analytics.
- Comply with our legal obligations (tax, accounting, lawful requests).
- With your consent, send you marketing communications — you can opt out any time.
3. Legal basis (PDPA)
We process your personal data on the basis of your consent, the performance of a contract you have entered into with us, our legitimate interests in running the Services, and compliance with our legal obligations.
4. Third-party service providers
We share data with trusted processors who act on our instructions under data protection agreements:
- Stripe — international card payments (stripe.com/privacy).
- Billplz — FPX online banking in Malaysia (billplz.com/privacy).
- iPay88 — local card & e-wallet acquiring (ipay88.com.my).
- Resend — transactional email delivery (resend.com/legal/privacy-policy).
- Twilio — SMS notifications (twilio.com/legal/privacy).
- Google Calendar — optional two-way calendar sync (only if you authorise it).
- Expo Push (Expo Application Services) — push notification delivery to iOS and Android.
- Cloud infrastructure — Vercel (web hosting) and AWS (databases), both operating data centres in Singapore.
We never sell your personal data.
5. International transfers
Your data is primarily stored in Singapore. Some processors (Stripe, Resend, Twilio) may transfer data to the United States or the European Union. Where required by PDPA, we rely on your consent or standard contractual clauses that provide equivalent protection.
6. Data retention
- Account & booking data — kept while your account is active and for up to 7 years after closure to comply with Malaysian tax and accounting law.
- Payment records — 7 years as required by the Inland Revenue Board.
- Crash logs & analytics — up to 90 days.
- Push tokens — deleted when you sign out of the app or uninstall it.
7. Your rights
Under PDPA and applicable law you have the right to:
- Access — request a copy of your personal data.
- Correct — ask us to fix inaccurate data.
- Delete — request account and data deletion.
- Port — receive your data in a machine-readable format.
- Withdraw consent — at any time, for processing based on consent.
- Complain — to the Malaysian Personal Data Protection Commissioner.
To exercise any right, email privacy@timeo.my or visit our Data Deletion page.
8. Security
We protect your data with TLS 1.2+ in transit, AES-256 encryption at rest, scoped access controls, audit logs, and regular backups. No system is perfectly secure; if you suspect a breach involving your account, contact us immediately.
9. Children's privacy
Timeo is not intended for children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us data, contact us and we will delete it.
10. Cookies & similar technologies
Our website uses cookies as described in our Cookie Policy. Our mobile apps do not use browser cookies; they use secure on-device storage for session tokens only.
11. Changes to this policy
We may update this policy. We will notify you of material changes in-app or by email at least 14 days before they take effect.
12. Contact us
Timeo Sdn. Bhd.
Data Protection Officer
Email: privacy@timeo.my
Support: support@timeo.my